In the first installment of this series I discussed the need for organizations to change their approach to cyber security to an “assumption of breach model,” or an understanding that in today’s threat landscape, it is unrealistic to thwart 100 percent of malicious attacks. That previous post also mentioned that this new approach should focus primarily on three foundational elements:
For the second part of this series, let’s tackle the first element. Who exactly are we talking about when we discuss people? The easiest way to break down the individuals who can potentially impact security in an organization—and to determine how best to utilize each as a security asset —is to categorize them in four groups:
IT practitioners: Your internal IT team interfaces with the various technologies in your organization every day. Depending on the size of your organization you might have one—or in rare cases a few—IT staffers dedicated to security, but in most cases it will be one responsibility among many others for these practitioners. If we look at the current threat landscape as a battlefield, these are your soldiers; they need high-quality training to be effective, specifically on how to operate security systems and solutions that the organization has purchased.
As you’ll see as this series progresses, each of the three foundational elements is tied to the other two, and this is especially true with regard to IT practitioners. In most instances these individuals will also be charged with leveraging the organization’s processes and technologies, so it is critical that they have the requisite training and knowledge.
Employees: These are the workers who use business applications as part of their day-to-day responsibilities. They are not IT professionals and likely aren’t thinking about cyber security other than when they hear about a high-profile breach on the news. For that reason, these people are an organizations’ most significant vulnerability and must be protected by our systems and receive cyber security training.
Former FBI Computer Intrusion Unit head Don Codling recently said at a seminar that “savvy, well-meaning employees can be fooled into doing something to allow attacks access to company networks,” citing an example in which an employee clicks an email that appears to be a subpoena from his or her personal attorney. This example illustrates that without an understanding of what to look for, these employees can be an almost insurmountable vulnerability. But those same well-meaning employees Codling mentioned, if educated properly, can turn from your biggest weakness to your greatest strength.
Leadership: These are your IT directors, your senior leadership and even board members. These are the people that must not only help create the vision, but also generate buy-in from the rest of the organization. The message here is fairly simple: if leadership is disinterested in security—or worse, fails to abide by the procedures they help create—a program has little chance to succeed.
An organization’s leaders must also avoid fostering a culture of blame around cybersecurity. Too often in recent years breaches have led to firings or resignations from C-level executives. While some incidents may warrant personnel changes, in many instances the best thing an organization’s senior leaders can do in the wake of an incident is to pull together and determine how to remediate the situation and ensure it doesn’t happen again.
Third-party consultants: Between managing technologies and infrastructure; identifying qualified candidates to hire; conducting daily operations; and dealing with governance and compliance challenges, security can be expensive and time-consuming.
For most organizations, investing in an entire security team is just not feasible. Security consultants can help augment internal teams and bring valuable experience to a security infrastructure project or incident. They can also free up internal IT staffers to focus less on “run” tasks and more on forward-facing security initiatives.
The Next Element
As I mentioned earlier, the three foundational security elements are interdependent, so check out the third installment of this series, which focuses on policy and process.
I encourage you to read the entire blog series where we discuss how you can implement a strategy that allows your business to operate confidently and without fear:
With over 20 years of experience in the industry, Josh is responsible for executing Carousel's customer-facing Cybersecurity strategy. With a career that began in operations support where customer satisfaction is the number one priority, Josh understands that balancing user experience and manageability, with risk mitigation and overall security posture is crucial to a successful practice. As Director of Security Solutions, Josh helps both customers and colleagues alike make sense of the broad and sometimes confusing landscape of cybersecurity, and arm them with the knowledge and tools to deliver effective business outcomes. His enthusiasm and excitement for not only the cybersecurity space but technology in general shines through with every engagement he is a part of.
Read More Posts From Josh
Security
The threats facing companies today are more complex than they were even a few years ago. Ransomware, for example, used to be considered an annoyance. But hackers have upped their game. The latest generation of ransomware attacks have caused businesses and government entities not only significant financial harm, in some cases they’ve brought operations to […]
7.20.2022
Security
As we look to a post-pandemic world, one of the areas of investment we can expect to see is in building resilience to destructive type attacks. 2020 saw a record number of distributed denial-of-service (DDoS) and ransomware attacks, which is only expected to continue through the rest of this decade. Many organizations are now looking to the […]
6.21.2021
Security
In an earlier post we looked at typical headcount costs and other expenditures to build and maintain the full scope of cybersecurity capabilities in-house. Those figures often put a completely internal team out of reach, but the good news is that a strong cybersecurity strategy doesn’t need to be an all-or-nothing effort. Here we’ll explore […]
5.27.2021
Security
No matter the size, industry, or location, nearly every company today has a cybersecurity strategy. But there are many methodologies your organization can use to protect its digital assets and determining the right approach for your business means balancing your desired cybersecurity posture against your resource availability of staff and money. Given the evolving threat […]
4.19.2021